How do I create Access Control Level (ACL) list object in bootstrap server and send it to client ? #403

Closed
Muthuiot opened this issue Oct 17, 2017 · 10 comments
Labels
question Any question about leshan

@Muthuiot

Muthuiot commented Oct 17, 2017

Hi Team,

I would like to create an ACL object in the bootstrap phase which will later be used by the Leshan server and client.
I want the client to support multiple servers. How do I enable this at the client side?

Tried with below ACL configuration changes in LWM2M_Access_Control-v1_0.xml

Added ACL owner as short server id

123
R
Single
Mandatory
Integer
0-65535


Could you please help me in this ?

Thanks,
Muthu

@sbernard31
Contributor

sbernard31 commented Oct 17, 2017

ACL is not supported for now.

For Leshan Client, I didn't think about that so much, but it could be possible to create your own ACL object and use it in a custom ObjectEnabler which allows or does not allow requests on the client.

For Leshan Bootstrap, this is not implemented at all, and the current design does not allow you to implement it on your own without modifying the Leshan Bootstrap code.

Implementing ACL is not in our priorities for now, but I opened issue #404 about that just to trace the community needs.

@Muthuiot
Author

Thanks sbernard31 for the quick response.

It would be great if you could provide me with some hints on how to create a custom object enabler at the client side.

@sbernard31
Contributor

When you create your LeshanClient via LeshanClientBuilder, you need to give a list of LwM2mObjectEnabler.

The easy way is to use ObjectInitializer.

But as you want to add rights authorization before accepting a request, you should create a smarter LwM2mObjectEnabler than the default one.

Have a look at BaseObjectEnabler or ObjectEnabler. You should probably inherit from one of them to add a way to check the ACL.

Note that your class will need access to the "ACL ObjectEnabler" or another structure which contains the ACL information.

This will not be so easy but should be feasible.
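
As an added illustration (not code from this thread or from Leshan): the access-right decision a custom LwM2mObjectEnabler would need to make before serving a request, following the rules of the OMA LwM2M Access Control object (Object 2) for a client that knows several servers. All class and method names are hypothetical, server 456 is a constructed value, and how the enabler learns the requesting server's short server ID is left out.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Leshan code: all class and method names are hypothetical.
public class AclDecision {
    // Bits of one ACL resource instance (Access Control object, resource 2).
    // Create (16) belongs to the object-level ACL instance and is omitted here.
    static final int READ = 1, WRITE = 2, EXECUTE = 4, DELETE = 8;
    static final int DEFAULT_ENTRY = 0; // ACL key 0 carries the default rights

    // One Access Control instance: owner plus per-server rights for one target.
    static final class Instance {
        final int owner;                                   // Access Control Owner (resource 3)
        final Map<Integer, Integer> acl = new HashMap<>(); // short server ID -> bitmask
        Instance(int owner) { this.owner = owner; }
    }

    private final Map<String, Instance> byTarget = new HashMap<>();

    Instance protect(int objectId, int instanceId, int owner) {
        Instance i = new Instance(owner);
        byTarget.put(objectId + "/" + instanceId, i);
        return i;
    }

    // Rights of a server on /objectId/instanceId when several servers are configured.
    int rightsFor(int serverId, int objectId, int instanceId) {
        Instance i = byTarget.get(objectId + "/" + instanceId);
        if (i == null) return 0;               // design choice of this sketch: fail closed
        Integer explicit = i.acl.get(serverId);
        if (explicit != null) return explicit; // an explicit entry always wins
        if (serverId == i.owner) return READ | WRITE | EXECUTE | DELETE;
        Integer fallback = i.acl.get(DEFAULT_ENTRY);
        return fallback != null ? fallback : 0; // no default entry: no access
    }

    boolean isAllowed(int serverId, int objectId, int instanceId, int operation) {
        return (rightsFor(serverId, objectId, instanceId) & operation) != 0;
    }

    public static void main(String[] args) {
        AclDecision acl = new AclDecision();
        // Constructed sample: Firmware Update (object 5) owned by server 123,
        // every other server limited to read through the default entry.
        acl.protect(5, 0, 123).acl.put(DEFAULT_ENTRY, READ);
        System.out.println(acl.isAllowed(123, 5, 0, EXECUTE)); // owner
        System.out.println(acl.isAllowed(456, 5, 0, EXECUTE)); // other server, execute
        System.out.println(acl.isAllowed(456, 5, 0, READ));    // other server, read
        System.out.println(acl.isAllowed(456, 3, 0, READ));    // target without ACL instance
    }
}
```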

@Muthuiot
Author

Muthuiot commented Oct 23, 2017

I have created a class named AccessControlList which extends the BaseInstanceEnabler class and added the code below in client-demo:
initializer.setInstancesForObject(ACCESS_CONTROL, new AccessControlList());
List<LwM2mObjectEnabler> enablers = initializer.create(SECURITY, SERVER, ACCESS_CONTROL, DEVICE, LOCATION,
        OBJECT_ID_TEMPERATURE_SENSOR);
The AccessControlList class is empty, not having anything. Hereafter, how do I proceed to achieve ACL support with the Leshan server?
Below is the bootstrap server response.

Bootstrap finished ServersInfo [bootstrap=Bootstrap Server [uri=coaps://localhost:5684], deviceMangements={123=DM Server [uri=coaps://localhost:5674, lifetime=20, binding=U]}].

Please help me on this.

@sbernard31
Contributor

It seems you are trying to add ACL support to your client and you are testing with the Leshan bootstrap server, which does not support ACL.

What did you expect ? oO ?

@Ross1503

Hi Sbernard31,
When we connect an LwM2M client with the Leshan server through the bootstrap server, the LwM2M access control object is not enumerating on the Leshan server GUI. Is it not supported yet? And what effect may it cause on the functionality of other objects?

@sbernard31
Contributor

> and what effect may it cause on the functionality of other objects?

Today, ACL is not supported at the client and bootstrap server side: https://github.com/eclipse/leshan/wiki/LWM2M-Supported-features

ACL is mainly useful if your device is connected to several LWM2M servers and you want to define specific rights for each server (e.g. limit firmware object access to server 1 so this would be the only one able to do a firmware update...).

Currently the Leshan client supports a maximum of 1 LWM2M server, so ACL is not so useful.

> and what effect may it cause on the functionality of other objects?

The Leshan client supports only 1 LWM2M server and this server will have all the rights on all the client objects. Probably the more common use case.

@Ross1503

> Currently the Leshan client supports a maximum of 1 LWM2M server, so ACL is not so useful.

I think the client supports more than 1 LwM2M server if we connect directly to the LwM2M server. It doesn't support multi-server connectivity using the same bootstrap server, as in the bootstrap server we cannot create multiple entries for the same endpoint.
Am I getting it right?

@fdur

fdur commented Jan 28, 2019

Hi Ross1503,
Using the Leshan server, it's possible to configure the Leshan bootstrap server to support several LwM2M servers, but you need to use the REST APIs in order to configure the bootstrap data to be sent to the client.
I'm able to do such a configuration using the Leshan server locally: 1 bootstrap server and 3 LwM2M servers are running locally on my host.
Using the Leshan UI, you're right, it's not possible to configure the bootstrap server to support several LwM2M servers for one client, and I think that the reason is simple:
we only have one address for the Leshan bootstrap server demo and one address for the Leshan LwM2M server demo.

@sbernard31
Contributor

@Ross1503, I'm not sure I understand you, but I will try to answer anyway:

About the Leshan client, it currently supports only 1 LWM2M server at the same time.
See in the code: after a bootstrap, the client could have several servers but we only register on the first one.

About the bootstrap server, it's possible to use LeshanBootstrapServer to set several LwM2M servers on a LWM2M client.

If we talk about the demo leshan-bsserver-demo: @fdur is right, the REST APIs allow you to do that but not the web UI.
